Run manifest (.crane-run.json) #298

Description

@stillalearner

Title

feat(audit): write run manifest recording invocation context for every command

Output: what changes

After this issue — every command writes a .crane-run.json in its output directory:

$ crane export -n my-app -e ./export
... (normal output) ...

$ cat export/.crane-run.json
{
  "schemaVersion": "v1",
  "command": "export",
  "craneVersion": "v0.0.6",
  "cranelibVersion": "v0.1.6",
  "timestamp": "2026-04-18T14:32:01Z",
  "duration": "12.4s",
  "user": "ssingla",
  "hostname": "macbook.local",
  "flags": {
    "namespace": "my-app",
    "export-dir": "export",
    "context": "eks-prod"
  },
  "kubernetes": {
    "serverVersion": "v1.28.3",
    "context": "eks-prod"
  },
  "result": {
    "status": "completed_with_warnings",
    "resourcesProcessed": 47,
    "warnings": 3
  }
}

Written for export, transform, and apply.

Description

Context

There is no record of who ran what command with which flags at what time. Reproducing a migration run requires asking the operator. The run manifest captures the full invocation context so anyone can understand or reproduce it later.

User outcome

  • Security auditors can identify who, when, where, and with what flags.
  • Support engineers can reproduce the exact invocation.

Scope

  • Define RunManifest struct in internal/audit/run_manifest.go.
  • Write .crane-run.json at the end of export, transform, and apply Run() methods.
  • Capture: command, versions, timestamp, duration, user, hostname, flags, kubernetes context (export only), result status.

Acceptance criteria

  • crane export writes export/.crane-run.json.
  • crane transform writes transform/.crane-run.json.
  • crane apply writes output/.crane-run.json.
  • JSON includes schemaVersion, command, versions, timestamp, duration, flags, and result status.
  • Export run manifest includes kubernetes context (server version, context name).
  • Sensitive values (kubeconfig contents, tokens) are NOT recorded — only flag names and safe values.
  • go test ./... passes.
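
One way to meet the "sensitive values are NOT recorded" criterion is an allowlist, so that any flag not explicitly marked safe is dropped by default. This is an added example, not crane's own code: the names `FilterFlags`, `BuildManifest` and `safeFlags` are hypothetical, the allowlist is assumed from the three flags in the sample above, and the `token` and `kubeconfig` inputs are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// RunManifest holds a subset of the fields in the issue's sample .crane-run.json.
type RunManifest struct {
	SchemaVersion string            `json:"schemaVersion"`
	Command       string            `json:"command"`
	Timestamp     string            `json:"timestamp"`
	Flags         map[string]string `json:"flags"`
}

// safeFlags is an assumed allowlist: the three flag names in the issue's sample.
var safeFlags = map[string]bool{"namespace": true, "export-dir": true, "context": true}

// FilterFlags keeps allowlisted flags and returns the names (never the values)
// of everything else, so an unknown or newly added flag is dropped by default.
func FilterFlags(raw map[string]string) (kept map[string]string, dropped []string) {
	kept = make(map[string]string)
	for name, value := range raw {
		if safeFlags[name] {
			kept[name] = value
		} else {
			dropped = append(dropped, name)
		}
	}
	sort.Strings(dropped)
	return kept, dropped
}

// BuildManifest renders the manifest JSON from an already-parsed flag set.
func BuildManifest(command string, now time.Time, raw map[string]string) ([]byte, []string, error) {
	kept, dropped := FilterFlags(raw)
	m := RunManifest{"v1", command, now.UTC().Format(time.RFC3339), kept}
	out, err := json.MarshalIndent(m, "", "  ")
	return out, dropped, err
}

func main() {
	// Constructed input: "token" and "kubeconfig" stand in for sensitive flags.
	raw := map[string]string{"namespace": "my-app", "export-dir": "export",
		"context": "eks-prod", "token": "constructed-secret", "kubeconfig": "/home/u/.kube/config"}
	out, dropped, _ := BuildManifest("export", time.Date(2026, 4, 18, 14, 32, 1, 0, time.UTC), raw)
	fmt.Printf("%s\nnot recorded: %v\n", out, dropped)
}
```

A unit test for the acceptance criterion can assert that neither the dropped flag names nor their values appear anywhere in the serialized bytes.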
